From a65d7a6e589268afc80c871450423c82aeab530a Mon Sep 17 00:00:00 2001
From: Nikola Knazekova
Date: Thu, 3 Nov 2022 11:33:59 +0100
Subject: [PATCH] Add watch_sb interfaces

Add interafaces that allow watch_sb user temporary directories, tmpfs directories, boot and root directories. Create watch_sb_dirs_pattern and watch_sb_dir_perms
---
 policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.if | 18 +++++++++++++++
 policy/modules/system/userdomain.if | 18 +++++++++++++++
 policy/support/file_patterns.spt | 4 ++++
 policy/support/obj_perm_sets.spt | 1 +
 5 files changed, 77 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 046db519bb..eb9e6e032c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2560,6 +2560,24 @@ interface(`files_write_root_dirs',`
 allow $1 root_t:dir write;
 ')
 
+########################################
+##
+## Watch_sb root directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_watch_sb_root_dirs', `
+ gen_require(`
+ type root_t;
+ ')
+
+ watch_sb_dirs_pattern($1, root_t, root_t)
+')
+
 ########################################
 ##
 ## Do not audit attempts to write to / dirs.
@@ -3089,6 +3107,24 @@ interface(`files_watch_boot_dirs',`
 allow $1 boot_t:dir watch_dir_perms;
 ')
 
+########################################
+##
+## Watch_sb boot directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_watch_sb_boot_dirs', `
+ gen_require(`
+ type boot_t;
+ ')
+
+ watch_sb_dirs_pattern($1, boot_t, boot_t)
+')
+
 ########################################
 ##
 ## Watch_mount directories in /boot.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bb2f077f6d..d7645a534f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
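Review bot: The doc block of `files_watch_sb_root_dirs` says only "Watch_sb root directories.", which hides that `watch_sb` is the superblock-scope watch permission (to my reading, a filesystem-wide fanotify mark, in line with its siblings `watch_mount` and `watch_reads`), so the grant is wider than the per-directory `watch` the neighbouring interfaces hand out: a caller can observe events for the whole filesystem whose root is a root_t directory, not just that directory. I would state that in the summary, e.g. `##	Watch the superblock (whole filesystem) of root_t directories (watch_sb).`, so policy authors do not treat it as a drop-in for the plain watch interface. Style nit: `interface(`files_watch_sb_root_dirs', `` puts a space before the second backquote, while the sibling in the hunk header, `interface(`files_write_root_dirs',``, and the rest of this file use the no-space form.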
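Review bot: `files_watch_sb_boot_dirs` grants more than the sibling it is modelled on: `watch_sb_dirs_pattern($1, boot_t, boot_t)` expands (per the new macro in file_patterns.spt) to `search_dir_perms` on boot_t plus `watch_sb_dir_perms`, whereas `files_watch_boot_dirs` in the hunk header grants only `allow $1 boot_t:dir watch_dir_perms;`. If the extra search is not needed, the parity form is `allow $1 boot_t:dir watch_sb_dir_perms;`; if it is intended, a one-line comment explaining why would stop the two interfaces from looking accidentally different. Same style nit as the root_t interface: `', `` with a space versus the file's `',`` form.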
@@ -5400,6 +5400,24 @@ interface(`fs_mounton_tmpfs', `
 allow $1 tmpfs_t:dir mounton;
 ')
 
+########################################
+##
+## Watch_sb tmpfs directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_watch_sb_tmpfs', `
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
 ########################################
 ##
 ## Get the attributes of a tmpfs
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e8817429b2..62bc19c654 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -347,6 +347,24 @@ interface(`userdom_watch_tmp_dirs',`
 watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
 ')
 
+#######################################
+##
+## Watch_sb user temporary directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_watch_sb_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t)
+')
+
 #######################################
 ##
 ## Watch_mount user temporary directories
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index c832c0dab0..57581a8573 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -88,6 +88,10 @@ define(`watch_reads_dirs_pattern',`
 allow $1 $2:dir search_dir_perms;
 allow $1 $3:dir watch_reads_dir_perms;
 ')
+define(`watch_sb_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_sb_dir_perms;
+')
 define(`watch_with_perm_dirs_pattern',`
 allow $1 $2:dir search_dir_perms;
 allow $1 $3:dir watch_with_perm_dir_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 85283eb1e5..c76a77fac9 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
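Review bot: `fs_watch_sb_tmpfs` is the one interface in this patch whose name drops the `_dirs` suffix used by `files_watch_sb_root_dirs`, `files_watch_sb_boot_dirs` and `userdom_watch_sb_tmp_dirs`, although `fs_mounton_tmpfs` in the hunk header shows this file already uses the shorter form, so either is defensible as long as it is deliberate. More important is the summary "Watch_sb tmpfs directories.": since `watch_sb` is the superblock-level watch (to my reading a filesystem-wide fanotify mark), and the rule is written against the generic `tmpfs_t` type, a domain given this interface can presumably observe events on every tmpfs filesystem carrying that label at once, not on one directory. I would say so in the doc block, e.g. `##	Watch the superblocks of tmpfs filesystems labeled tmpfs_t (watch_sb, filesystem-wide).`, so callers weigh it like a filesystem-wide grant rather than a directory watch.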
@@ -149,6 +149,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 define(`watch_dir_perms',`{ getattr watch }')
 define(`watch_mount_dir_perms',`{ getattr watch_mount }')
 define(`watch_reads_dir_perms',`{ getattr watch_reads }')
+define(`watch_sb_dir_perms',`{ getattr watch_sb }')
 define(`watch_with_perm_dir_perms',`{ getattr watch_with_perm }')
 
 #